Data Processing Agreement (DPA / AVV)
Draft for review — the executed DPA must be reviewed by qualified counsel before signature.
Under Article 28 UK GDPR / DSGVO, every school (controller) that uses Onyx (processor) must have a written Data Processing Agreement in place before any personal data is processed.
What the DPA covers
- Subject matter, duration, nature and purpose of processing
- Type of personal data and categories of data subjects, including children
- Processing only on the controller's documented instructions
- Confidentiality of personnel with access to data
- Technical and organisational security measures (TOMs)
- Sub-processor list and flow-down obligations
- Assistance with data-subject rights (access, erasure, portability)
- Deletion or return of data at the end of the contract
- Audit rights for the controller
Sub-processors
| Sub-processor | Purpose | Region |
|---|
To request the current signed DPA/AVV pack, contact «DATA PROTECTION / DPO EMAIL».